Ricoh Mp C3001 Instruction Manual
Page 80 of 93 Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

7 TOE Summary Specification

This section describes the TOE summary specification for each security function. The security functions are described for each corresponding security functional requirement.

7.1 Audit Function

The Audit Function generates the audit log of TOE use and security-relevant events (hereafter, audit events). This function provides the recorded audit log in a legible fashion for users to audit (audit log review). The recorded audit log can be viewed and deleted only by the MFP administrator.

FAU_GEN.1 and FAU_GEN.2
The TOE records the audit log items shown in Table 35 on the HDD in the TOE when the audit events shown in Table 34 occur. Audit log items include basic log items and expanded log items. Basic log items are recorded whenever an audit log is recorded; expanded log items are recorded only when the audit events listed against them in Table 35 occur.

FPT_STM.1
The date (year/month/day) and time (hour/minute/second) the TOE records for the audit log are derived from the system clock of the TOE.

FAU_SAR.1, FAU_SAR.2, and FAU_STG.1
The TOE displays the operation menu for reading audit logs on a Web browser screen only when it is accessed by the MFP administrator. The TOE provides the audit logs in text format when the MFP administrator instructs the TOE to read the audit logs.

FAU_STG.4
When there is insufficient space in the audit log files to append the newest audit log, the TOE writes the newest audit log over the oldest audit log.

Table 34 : List of Audit Events
Audit Events
- Start-up of the Audit Function (*1)
- Shutdown of the Audit Function (*1)
- Success and failure of login operations (*2)
- Success and failure of login operations from RC Gate communication interface
- Table 30 Record of Management Function
- Date settings (year/month/day), time settings (hour/minute)
- Termination of session by auto logout
- Web Function communication
- Folder transmission
- E-mail transmission
- Printing via networks
- LAN Fax via networks
- Storing document data
- Reading document data (print, download, fax transmission, e-mail transmission, and folder transmission)
- Deleting document data
- Success and failure of creation, modification, and deletion of S/MIME user information
- Success and failure of creation, modification, and deletion of destination folders
- Communication with RC Gate
(*1): The start-up and shutdown of the Audit Function are substituted with the TOE start-up event.
(*2): Login operations by a person who intends to use the TOE via the RC Gate communication interface are excluded.

Table 35 : List of Audit Log Items
Audit Log Items | Setting Values of Audit Log Items | Audit Events to record Audit Logs

Basic Log Items (recorded for all auditable events shown in Table 34):
- Starting date/time of an event | Values of the TOE system clock at an event occurrence
- Ending date/time of an event | Values of the TOE system clock at an event occurrence
- Event types | Audit event identity
- Subject identity | User or TOE identity for an audit event caused by the user or TOE
- Outcome | Audit event outcome (success or failure)

Expanded Log Items:
- Communication directions | Communication directions (IN/OUT) | Web Function communication; Communication with RC Gate
- Communicating IP address | Communicating IP address | Web Function communication; Folder transmission; Printing via networks; LAN Fax via networks; Communication with RC Gate
- Communicating e-mail address | Communicating e-mail address for e-mail transmission | E-mail transmission

7.2 Identification and Authentication Function

The Identification and Authentication Function verifies whether persons who intend to use the TOE are authorised users (MFP administrator, supervisor, normal users, and RC Gate) by referring to the identification and authentication information obtained from the users, so that only persons who are confirmed as authorised users are allowed to use the TOE. Verification methods for normal users include Basic Authentication and External Authentication. Either Basic Authentication or External Authentication is selected when the TOE is installed.

FIA_UAU.1(a) and FIA_UID.1(a): Application of Basic Authentication
The TOE identifies and authenticates a user by checking the login user name and login password entered by the user. However, identification and authentication are not required for viewing user job lists, Web Image Monitor Help from a Web browser, system status, the counter and information of inquiries, execution of fax reception, and repair request notifications. When the TOE is used from the Operation Panel or a Web browser, the screen for a user to enter his or her login user name and login password is displayed, and this screen remains displayed until the entry of the login user name and login password is complete. When the TOE is used from the printer driver or fax driver, the TOE receives the login user name and login password entered from each driver by a user. When the entered login user name is the login user name of a normal user, MFP administrator, or supervisor, the TOE checks whether the entered login password matches the one pre-registered in the TOE.
FIA_UAU.1(b) and FIA_UID.1(b): Application of External Authentication
The TOE identifies and authenticates a user by checking the login user name and login password entered by the user. However, identification and authentication are not required for viewing user job lists, Web Image Monitor Help from a Web browser, system status, the counter and information of inquiries, execution of fax reception, and repair request notifications. When the TOE is used from the Operation Panel or a Web browser, the screen for a user to enter his or her login user name and login password is displayed, and this screen remains displayed until the entry of the login user name and login password is complete. When the TOE is used from the printer driver or fax driver, the TOE receives the login user name and login password entered from each driver by a user. When the entered login user name is the login user name of the MFP administrator or supervisor, the TOE checks whether the entered login password matches the one pre-registered by the MFP administrator or supervisor in the TOE. When the entered login user name is not the login user name of the MFP administrator or supervisor, the entered login user name and login password are sent to an external authentication server for confirmation.
When the sent login user name and login password are identified and authenticated, the user is allowed to use the TOE according to the identified user role.

FIA_USB.1, FIA_ATD.1, and FMT_SMR.1
If a user is identified and authenticated as a result of the checks in FIA_UAU.1(a), FIA_UID.1(a), FIA_UAU.1(b), and FIA_UID.1(b), the user is allowed to use the TOE in the identified user role (normal user, MFP administrator, or supervisor). The user role assigned to the user at login is maintained until the user logs out. If user identification and authentication fails, use of the TOE is denied.

FTA_SSL.3
The automatic logout function the TOE provides is activated if the auto logout time (60 - 999 seconds) specified by the MFP administrator elapses after the final operation from the Operation Panel by a user who logged on to the TOE from the Operation Panel. The automatic logout function is activated if the fixed auto logout time (30 minutes by default) elapses after the final operation from a Web browser by a user who logged on to the TOE from a Web browser. The TOE logs out immediately after receiving the print data from the printer driver. The TOE logs out immediately after receiving the transmission information from the fax driver. The TOE terminates a session with RC Gate immediately after the communication with RC Gate is complete.

FIA_UAU.7
For login passwords entered by a person who intends to use the TOE from the Operation Panel or a Web browser, the TOE does not display the entered login password; it displays a sequence of dummy characters whose length is the same as that of the entered password.

FIA_AFL.1
When Basic Authentication is applied, the TOE counts the number of identification and authentication attempts that consecutively result in failure using the login user name of a normal user, MFP administrator, or supervisor. When External Authentication is applied, the TOE counts the number of identification and authentication attempts that consecutively result in failure using the login user name of the MFP administrator or supervisor. The TOE locks out the login user name if the number of consecutive login failures exceeds the number of attempts before lockout. If a user name is locked out, the user with that user name is not allowed to log in unless the lockout time set in advance elapses or an unlocking administrator, shown in Table 36 and specified for each user role, releases the lockout.

Table 36 : Unlocking Administrators for Each User Role
User Roles (Locked out Users) | Unlocking Administrators
Normal user | MFP administrator
Supervisor | MFP administrator
MFP administrator | Supervisor

FIA_SOS.1
Login passwords for users can be registered only if these passwords meet the following conditions:
(1) Usable characters and types:
- Upper-case letters: [A-Z] (26 letters)
- Lower-case letters: [a-z] (26 letters)
- Numbers: [0-9] (ten digits)
- Symbols: SP (space) ! # $ % & ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~ (33 symbols)
(2) Registrable password length:
- For normal users: no less than the minimum character number for passwords (8-32 characters) specified by the MFP administrator and no more than 128 characters.
- For MFP administrators and the supervisor: no less than the minimum character number for passwords (8-32 characters) specified by the MFP administrator and no more than 32 characters.
(3) Combination of character types: the number of combined character types specified by the MFP administrator (two types or more, or three types or more).

FIA_UAU.2, FIA_UID.2, and FIA_USB.1
A certificate is the set of identification and authentication information of RC Gate. When the TOE receives a certificate from an IT device accessing the TOE via the RC Gate communication interface, the TOE checks whether the certificate matches the certificate installed in the TOE. Only if the certificate sent from the IT device matches the one installed in the TOE, so that the IT device is identified as RC Gate, is the IT device allowed to use the TOE in the user role RC Gate.

FPT_FDI_EXP.1
The TOE accepts input information only after the TSF reliably identifies and authenticates the input information from the Operation Panel or from the client computer via the LAN interface. Therefore, input information cannot be forwarded without the TSF being involved in its identification and authentication.
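The consecutive-failure lockout of FIA_AFL.1 and the unlocking administrators of Table 36, as an added illustration (not the TOE's own code). The attempts-before-lockout count and lockout time are the MFP administrator's settings; the account records and the plaintext password field are constructed for the example.

```python
"""Consecutive login-failure lockout with role-based release (illustrative)."""
import hmac
from dataclasses import dataclass
from typing import Optional

# Table 36: the role that may release a lockout, per locked-out role.
UNLOCKING_ADMINISTRATOR = {
    "normal user": "MFP administrator",
    "supervisor": "MFP administrator",
    "MFP administrator": "supervisor",
}


@dataclass
class Account:
    login_user_name: str
    role: str
    password: str                 # constructed sample; a real product stores a verifier
    consecutive_failures: int = 0
    locked_until: Optional[float] = None   # seconds since epoch; None = not locked


class LockoutPolicy:
    """attempts_before_lockout and lockout_seconds mirror the administrator settings."""

    def __init__(self, attempts_before_lockout: int, lockout_seconds: int) -> None:
        self.attempts_before_lockout = attempts_before_lockout
        self.lockout_seconds = lockout_seconds

    def login(self, acct: Account, password: str, now: float) -> str:
        """Returns "ok", "denied" (wrong password) or "locked"."""
        if acct.locked_until is not None:
            if now < acct.locked_until:
                return "locked"            # lockout time has not elapsed yet
            # Lockout time elapsed: the login user name is usable again.
            acct.locked_until = None
            acct.consecutive_failures = 0
        if hmac.compare_digest(password.encode(), acct.password.encode()):
            acct.consecutive_failures = 0   # a success ends the consecutive run
            return "ok"
        acct.consecutive_failures += 1
        # Lock out once consecutive failures EXCEED the configured attempt count.
        if acct.consecutive_failures > self.attempts_before_lockout:
            acct.locked_until = now + self.lockout_seconds
            return "locked"
        return "denied"

    def release(self, acct: Account, releasing_role: str) -> bool:
        """Only the unlocking administrator for the locked role (Table 36) may release."""
        if UNLOCKING_ADMINISTRATOR.get(acct.role) != releasing_role:
            return False
        acct.locked_until = None
        acct.consecutive_failures = 0
        return True
```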
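The three FIA_SOS.1 registration conditions as a checker, added here as an illustration rather than the TOE's code. It assumes the 33 symbols are the 32 ASCII punctuation characters plus space, and takes the administrator's minimum length (8-32) and combination setting (2 or 3 types) as parameters.

```python
"""Registrable-password check modelled on the FIA_SOS.1 conditions (illustrative)."""
import string
from typing import List

# (1) Usable characters and types
CHARACTER_TYPES = {
    "upper": set(string.ascii_uppercase),      # [A-Z], 26 letters
    "lower": set(string.ascii_lowercase),      # [a-z], 26 letters
    "digit": set(string.digits),               # [0-9], ten digits
    "symbol": set(string.punctuation + " "),   # 33 symbols (assumed: ASCII punctuation + SP)
}
USABLE = set().union(*CHARACTER_TYPES.values())

# (2) The maximum registrable length depends on the user role.
MAX_LENGTH = {"normal user": 128, "MFP administrator": 32, "supervisor": 32}


def password_violations(password: str, role: str, min_length: int,
                        required_types: int) -> List[str]:
    """Return the FIA_SOS.1 conditions the password violates (empty = registrable).

    min_length: minimum character number set by the MFP administrator (8-32).
    required_types: the combination setting, 2 (two or more) or 3 (three or more).
    """
    if not 8 <= min_length <= 32:
        raise ValueError("minimum character number must be 8-32")
    if required_types not in (2, 3):
        raise ValueError("combination setting must be 2 or 3 character types")
    if role not in MAX_LENGTH:
        raise ValueError(f"unknown user role: {role!r}")

    violations = []
    unusable = sorted({c for c in password if c not in USABLE})
    if unusable:
        violations.append(f"unusable characters: {''.join(unusable)!r}")
    if len(password) < min_length:
        violations.append(f"shorter than the minimum of {min_length}")
    if len(password) > MAX_LENGTH[role]:
        violations.append(f"longer than the maximum of {MAX_LENGTH[role]} for {role}")
    # (3) Count how many of the four character types the password combines.
    used = sum(1 for chars in CHARACTER_TYPES.values() if any(c in chars for c in password))
    if used < required_types:
        violations.append(f"only {used} character type(s); {required_types} or more required")
    return violations


def is_registrable(password: str, role: str, min_length: int = 8,
                   required_types: int = 2) -> bool:
    return not password_violations(password, role, min_length, required_types)
```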
7.3 Document Access Control Function

The Document Access Control Function allows authorised TOE users to operate document data and user jobs in accordance with the user role privilege or user privilege provided to them.

FDP_ACC.1(a) and FDP_ACF.1(a)
The TOE controls user operations for document data and user jobs in accordance with (1) the access control rule on document data and (2) the access control rule on user jobs.
(1) Access control rule on document data
The TOE provides users with the interface for stored documents to be printed, downloaded to client computers, sent by fax, sent by e-mail, sent to folders, and deleted. The interface also enables users to delete all the stored documents. The users authorised to operate stored documents are the MFP administrator and normal users. The supervisor and RC Gate are not allowed to operate stored documents.

When the MFP administrator or a normal user logs in from the Operation Panel or a Web browser, the TOE displays a list of the stored documents whose operations are authorised and the menu for the authorised operations (printing, downloading to client computers, fax transmission, e-mail transmission, sending to folders, deletion, and deletion of all files). When the MFP administrator logs in from the Operation Panel or a Web browser, the TOE displays a list of all the stored documents and the operation menu for deletion and deletion of all files. The MFP administrator can select and delete a document from the list of the stored documents, or delete all documents. When a normal user logs in from the Operation Panel or a Web browser, the TOE displays a list of the stored documents whose document user list contains the login user name of that normal user, together with an operation menu. These are displayed according to the rules shown in Table 37. The privileges that allow users to edit the document user list are shown in 7.8 Security Management Function.

Also, the TOE allows only the user job owner to view and delete the document data handled as a user job while the Copy Function, Printer Function, Scanner Function, Fax Function, or Document Server Function is being used. No interface to change job owners is provided, but an interface to cancel user jobs is provided. If a user job is cancelled, any document the cancelled job operates on is deleted.
Table 37 : Stored Documents Access Control Rules for Normal Users
I/F to be Used | Available Functions for Users | Types of Stored Documents displayed in the List | Operations displayed on the Menu
Operation Panel | Document Server Function | Document Server documents | Print; Delete
Operation Panel | Document Server Function | Fax transmission documents | Print; Delete
Operation Panel | Printer Function | Printer documents | Print; Delete
Operation Panel | Scanner Function | Scanner documents | E-mail transmission; Folder transmission; Delete
Operation Panel | Fax Function | Fax transmission documents | Fax transmission; Folder transmission; Print; Delete
Operation Panel | Fax Function | Fax reception documents | Print; Delete
Web browser | Document Server Function | Document Server documents | Print; Delete
Web browser | Document Server Function | Scanner documents | E-mail transmission; Folder transmission; Download; Delete (these operations are authorised only if the normal user is privileged to use the Scanner Function)
Web browser | Document Server Function | Fax transmission documents | Fax transmission; Download; Print; Delete (these operations are authorised only if the normal user is privileged to use the Fax Function)
Web browser | Printer Function | Printer documents | Print; Delete
Web browser | Fax Function | Fax reception documents | Print; Download; Delete (these operations are authorised only if the normal user is privileged to use the Document Server Function)

(2) Access control rule on user jobs
The TOE displays on the Operation Panel a menu to cancel a user job only if the user who logs in from the Operation Panel is the user job owner or the MFP administrator and the cancellation of the user job is attempted by that owner or the MFP administrator. Other users are not allowed to operate user jobs. When a user job is cancelled, any documents operated on by the cancelled job are deleted. However, if the document data operated on by the cancelled user job is a stored document, the data is not deleted and remains stored in the TOE.

7.4 Use-of-Feature Restriction Function

The Use-of-Feature Restriction Function authorises TOE users to use the Copy Function, Printer Function, Scanner Function, Document Server Function and Fax Function in accordance with the roles of the identified and authenticated TOE users and the user privileges set for each user.
FDP_ACC.1(b) and FDP_ACF.1(b)
The TOE verifies the role of an authorised TOE user who attempts to start operating the Copy Function, Printer Function, Scanner Function, Document Server Function, or Fax Function. If the role is that of a normal user, the user can operate only the functions included in the available function list set for that normal user. If the role is that of the MFP administrator, the user can operate the Fax Reception Function, which corresponds to MFP management. If the role is that of the supervisor or RC Gate, using any of these functions is not allowed.

7.5 Network Protection Function

The Network Protection Function provides network monitoring to prevent information leakage when the LAN is used and to detect data tampering.

FTP_ITC.1
The encrypted communications provided by the TOE differ depending on the communicating device. Table 38 shows the encrypted communications provided by the TOE.

Table 38 : Encrypted Communications Provided by the TOE
Communicating Devices | Protocols | Cryptographic Algorithms
Client computer | TLS1.0 | AES(128bits, 256bits), 3DES(168bits)
External authentication server | Kerberos | AES(128bits, 256bits), 3DES(168bits)
RC Gate | SSL3.0, TLS1.0 | AES(128bits, 256bits), 3DES(168bits)
FTP server | IPSec | AES(128bits, 192bits, 256bits), 3DES(168bits)
SMB server | IPSec | AES(128bits, 192bits, 256bits), 3DES(168bits)
SMTP server | S/MIME | 3DES(168bits)

7.6 Residual Data Overwrite Function

The Residual Data Overwrite Function overwrites specific patterns on the HDD so that the residual data of deleted documents, temporary documents and their fragments on the HDD cannot be reused.

FDP_RIP.1
Methods to delete an HDD area through overwriting include sequential overwriting and batch overwriting.
For sequential overwriting, the TOE constantly monitors the information on a residual data area, and overwrites the area if any existing residual data is discovered. If the user deletes document data, the TOE applies the method specified by the MFP administrator and overwrites the area on the HDD where the digital image data of the document data is stored. Also, when a user job is complete, the TOE applies the method specified by the MFP administrator and overwrites the area on the HDD where the temporary documents created while the user job was executed, or the fragments of those temporary documents, are stored. For batch overwriting, the TOE collectively overwrites the HDD with the method specified by the MFP administrator.

Overwriting methods include the NSA method, the DoD method, and the random number method. The overwriting method is specified by the MFP administrator when the TOE is installed. The NSA method overwrites twice with random numbers and once with Null (0). The DoD method overwrites once with a fixed value, once with its complement, and then with random numbers, which are verified afterwards. The random number method overwrites three to nine times with random numbers; the MFP administrator specifies the number of times to overwrite when the TOE is installed.

7.7 Stored Data Protection Function

The Stored Data Protection Function encrypts the data on the HDD so that data leakage can be prevented.

FCS_CKM.1 and FCS_COP.1
The TOE encrypts data before writing it to the HDD, and decrypts the encrypted data after reading it from the HDD. This process is applied to all data written to and read from the HDD. The cryptographic operations are shown in Table 39.

Table 39 : List of Cryptographic Operations for Stored Data Protection
Encryption-triggering Operations | Cryptographic Operations | Standard | Cryptographic Algorithm | Key Size
Writing data to HDD | Encrypt | FIPS197 | AES | 256 bits
Reading data from HDD | Decrypt | FIPS197 | AES | 256 bits

Following operations by the MFP administrator, the TOE generates a cryptographic key.
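The three overwriting methods described under FDP_RIP.1 above, as an added illustration (not the TOE's firmware): the "HDD area" is a constructed bytearray, the DoD fixed byte value is an assumption, and the read-back verification the text requires for the DoD method is applied to every method.

```python
"""Overwrite patterns modelled on the FDP_RIP.1 text: NSA, DoD and random number methods."""
import os
from typing import List

DOD_FIXED_VALUE = 0x55   # assumed fixed byte; the page does not name it. Complement is 0xAA.


def nsa_passes(size: int) -> List[bytes]:
    """NSA method: twice with random numbers, once with Null (0)."""
    return [os.urandom(size), os.urandom(size), bytes(size)]


def dod_passes(size: int) -> List[bytes]:
    """DoD method: once with a fixed value, once with its complement, then random numbers."""
    fixed = bytes([DOD_FIXED_VALUE]) * size
    complement = bytes(b ^ 0xFF for b in fixed)
    return [fixed, complement, os.urandom(size)]


def random_number_passes(size: int, times: int) -> List[bytes]:
    """Random number method: three to nine passes, the count set by the MFP administrator."""
    if not 3 <= times <= 9:
        raise ValueError("random number method overwrites 3 to 9 times")
    return [os.urandom(size) for _ in range(times)]


def overwrite_area(area: bytearray, method: str, times: int = 3) -> bool:
    """Overwrite `area` in place with the chosen method.

    Returns the read-back verification result: True if the area now holds the last
    written pattern (required for the DoD method; cheap enough to do for all).
    """
    size = len(area)
    if method == "NSA":
        passes = nsa_passes(size)
    elif method == "DoD":
        passes = dod_passes(size)
    elif method == "random":
        passes = random_number_passes(size, times)
    else:
        raise ValueError(f"unknown overwriting method: {method!r}")
    for pattern in passes:
        area[:] = pattern             # each pass rewrites the whole area
    return bytes(area) == passes[-1]  # verification: read back and compare


def residual_data_remains(area: bytearray, original: bytes) -> bool:
    """True if any 8-byte fragment of the original data can still be found in the area."""
    data = bytes(area)
    return any(original[i:i + 8] in data for i in range(max(1, len(original) - 7)))
```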
If the logged-in user is the MFP administrator, the screen to generate an HDD cryptographic key is provided on the Operation Panel. If the MFP administrator gives the instruction to generate an HDD cryptographic key from the Operation Panel, the TOE uses a genuine random number generator and generates random numbers that conform to the standard BSI-AIS31.

7.8 Security Management Function

The Security Management Function consists of functions to 1) control operations on TSF data, 2) maintain the user roles assigned to normal users, the MFP administrator, or the supervisor for operating the Security Management Function, and 3) set appropriate default values for security attributes, all in accordance with the user role privileges or user privileges assigned to normal users, the MFP administrator, or the supervisor.
FMT_MSA.1(a), FMT_MSA.1(b), FMT_MSA.3(a), FMT_MTD.1, FMT_SMF.1 and FMT_SMR.1
The TOE allows operations on TSF data according to the rules described in Table 40.

Table 40 : Management of TSF Data
TSF Data | Operation Interface | Operations | Users
Login user names of normal users when Basic Authentication is applied | Operation Panel, Web browser | Newly create, query, modify, delete | MFP administrator
(same) | (same) | Query | Applicable normal user
Login user names of normal users when External Authentication is applied (*1) | Operation Panel, Web browser | Newly create, query, modify, delete | MFP administrator
Login user name of supervisor | Operation Panel, Web browser | Query, modify | Supervisor
Login user name of MFP administrator | Operation Panel, Web browser | Newly create | MFP administrator
(same) | (same) | Query, modify | Applicable MFP administrator
(same) | (same) | Query | Supervisor
Document data attributes | No operation interfaces available | No operations allowed | -
Document user list (stored document types are Document Server document, scanner document, fax document and printer document (with stored print)) | Operation Panel, Web browser | Query, modify | MFP administrator, applicable normal user who stored the document
Document user list (stored document type is fax received document) (*2) | Operation Panel, Web browser | Query, modify | MFP administrator
Default values of the document user list | Operation Panel, Web browser | Query, modify | MFP administrator, applicable normal user who stored the documents
Available function list | Operation Panel, Web browser | Query, modify | MFP administrator
(same) | (same) | Query (Query is unavailable for External Authentication) | Applicable normal user